Health care • Records may have included the medical reason for an appointment.

By Jennifer Dobner The Salt Lake Tribune

Published March 22, 2013 6:47 pm

This is an archived article that was published on sltrib.com in 2013, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

A West Valley City-based medical clinic has alerted federal health officials of a possible data breach after a collection of about 2,600 medical appointment records slated for shredding went missing.

The Granger Medical Clinic records had been printed from an electronic scheduling database and included the names of patients, the dates and times of appointments and the reason for the medical visit, said Steven Hester, the clinic's attorney. All of the records were from 2012.

No addresses, birth dates, medical claim information, Social Security numbers or financial information, including credit card numbers, were included in the records, Hester said. Some of the documents contained an internal medical record number, but those numbers would not be useful outside the clinic.

Staff discovered the records were missing on Jan. 22 and an internal investigation was launched, he said. Letters were sent to the affected clinic patients on Friday, the same day a news release was issued.

The Health Insurance Portability and Accountability Act, known more commonly as HIPAA, requires a records breach to be reported to federal officials, the affected patients and the media. The law requires notification within 60 days of an identified breach, the HHS web site states.

"The clinic is taking this very, very seriously," Hester said. "We have reported it to the Department of Health and Human Services. They haven't initiated an investigation, but we anticipate that they will."

HIPAA defines a breach as any use or disclosure that compromised the security or privacy of health information that poses a risk of financial, reputational or other harm to the affected person.

To date there has been no indication that any of the information has been used for any improper purpose, Hester said.

Sheila Walsh-McDonald, the data security ombudsman for the Utah Department of Health, was unaware of the Granger breach, but said there is no law requiring the clinic to notify state officials. Walsh-McDonald was appointed by Gov. Gary Herbert last year after computer hackers broke into a poorly-protected government server and stole Social Security numbers for up to 280,000 people. Less-sensitive data on another 500,000 Utahns was also taken.

Public health officials are concerned about the volume of medical records and the types of information that could potentially be made public in any breach.

"We just have to be vigilant all the time and staff need to fully understand all of the implications," she said.

Hester said Granger is implementing new data procedures and retraining staff to guard against future losses of data or documents. The changes include ending the policy of printing and shredding patient appointment records, he said.

Despite the internal investigation, Hester said it's not clear what happened to the Granger records.

The documents, which represent only a fraction of the estimated 60,000 patients on Granger's books, were thought to have been stored in a secure location, but could not be located when it came time for them to be shredded.

It also remains possible that the records were actually destroyed, but no one at the clinic made an adequate record of that action, he said.

"We don't know for sure," Hester said. "There's a chance it's not a breach, but we're acting out of caution."